The DNC Begins Cybersecurity Effort To Try To Make Sure 2016 Doesn’t Happen Again

Phishing drills, top Silicon Valley hires, constant cybersecurity education, emails in the cloud, Tom Perez on Signal, and end-to-end encryption apps like Wickr, which the rest of the Democratic party committees have already adopted. The DNC’s new CTO, now concluding an internal security review, wants a “culture change inside the building.”

On his second day at the Democratic National Committee, sitting in a meeting at the party’s headquarters south of Capitol Hill, Raffi Krikorian looked around the room and realized he was the only technology staffer at the table.

For the DNC’s new chief technology officer — now six weeks into his first job in politics after working at Silicon Valley companies like Uber and Twitter — that’s what had to change to prevent the kind of hacks that upended last year’s presidential election.

He wants the technology team everywhere. (“My end goal is how do we get to a world where there is no one reporting to the CTO anymore.”) He wants a steady, endless trickle of education about cybersecurity. (“It has to be part of on-boarding. It has to be part of every conversation, every time we have a meeting.”) He wants regular phishing email drills, for the party’s lowest-level staffers up to the chair. (“There’s literally a simulated phishing attack on the DNC right now. We started about an hour ago.”)

It’s about a “culture change inside the building” — to “get everyone’s guard up” and create an instinctive, daily cybersecurity reflex. “If you see something say something,” Krikorian said in an interview. “Our electronic landscape is not a friendly landscape.”

Krikorian, 39, said he felt his “continuous poking and prodding” was starting to work when the chair of the DNC, Tom Perez, walked into the CTO’s office one day and announced that he had downloaded the encrypted messaging app Signal.

“I thought, ‘Thank god.’ If the chair is proactively doing that, then we’re making this culture change inside the building of just even thinking about these problems.”

Later, Perez stood up at an all-staff meeting and told aides, “‘If you guys talk to me, you’re going to use Signal,’” Krikorian recalled. “Just getting that into the ethos of the DNC is a big win.”

Krikorian, who ran Uber’s self-driving cars program after serving as Twitter’s vice president of engineering, has instructed staffers at the DNC to use Signal instead of SMS until he and other recent hires on his team finish a weeks-long internal review of the party’s technology and security needs, including a more standardized move to encrypted chat-based messaging that could extend beyond the building to local state parties. That assessment will conclude “pretty soon,” he said, but declined to elaborate on timing.

The review, Krikorian’s “top-of-mind” priority, will determine whether the DNC will follow the other major Democratic committees to the secure workplace messaging app called Wickr, which offers what’s known as end-to-end encryption for chat, voice and video communication, and file exchanges. End-to-end encryption, meant to make messages indecipherable to third parties, is increasingly seen as a necessary security measure for political campaigns and committees on both sides after the sweep of devastating cyberattacks that tore across the Democratic Party in 2016, hitting the DNC, the Democratic Congressional Campaign Committee, and Hillary Clinton’s campaign chairman.

In June, the DCCC became the first known party committee on either side of the partisan divide to transition to an end-to-end encrypted messaging platform. The committee, charged with electing Democrats to the House of Representatives, has been using Wickr to communicate internally and with staff and consultants working on 20 of its most critical campaigns, vulnerable incumbents called “Frontline Democrats.”

DCCC officials have also encouraged the party’s three other main committees — the DNC, the Democratic Governors Association, and the Democratic Senatorial Campaign Committee — to use Wickr as well, according to an operative briefed by the DCCC.

The move would put every major arm of the national party on the same platform.

Two of the other committees, the DGA and the DSCC, recently became customers of Wickr, a spokesman for the technology company said on Thursday. (The DGA, the entity focused on Democratic gubernatorial candidates, confirmed the decision. Its U.S. Senate counterpart, the DSCC, did not respond to a request for comment. Both are listed on Wickr’s website as clients, along with the DCCC.)

The new arrangement makes the DNC the only party committee on the Democratic side not yet on Wickr. Krikorian said the DNC is “currently evaluating” Wickr as part of its ongoing internal review, along with other apps, which he declined to list in full.

“I would absolutely agree: If we’re all on the same platform it would make it a lot easier for all of us,” Krikorian said. “But at the same time, I want to do an honest assessment from the DNC side, considering that all the state parties are looking to us for advice, so I just want to do a real technical assessment before we release our recommendations.”

After the assessment ends, the DNC will “convene” the party’s various committees “when we feel we know what we want to go do, and then we should talk about it,” he said. “We’ll figure it all out together.” (The other groups have already made something of a commitment to Wickr. The program, designed as collaborative software for offices, is a paid service.)

“I personally want to make sure the most technically secure platform we can find, but I am also aware of the fact that security and usability have trade-offs,” he said. “If it’s a serious pain in the ass to use, no one’s actually gonna use it. I want to get people on the right platform that we want to commit to for years.”

DNC officials have maintained their relationship with Crowdstrike, the cybersecurity firm retained during the hack last summer, according to a person familiar with the arrangement.

Krikorian casts his ongoing review as part of an initial push to “right the ship with security.” In the short term, he said, it’s about the “low-hanging fruit”: better and more frequent cybersecurity education, simulated phishing attacks, two-step verification, moving the office’s email management to cloud services, and assessing the party’s threat model.

“The best thing that you can do on the tech side,” he said, is “just trying to understand a priori what your weaknesses might be — what the next weakest link in the chain is, so you can start shoring up.” Last year, it was phishing attacks. “So we’re working on that,” he said, “and we’ll keep on going.”

To do that, Krikorian has made a number of initial hires from Silicon Valley, including Uber’s former program manager for the self-driving cars team, Pam Cardona; Twitter’s former lead software engineer, Jeremy Cloud, and former abuse and internal tools lead, Peter Siebel; the former CTO for the digital company Safari Books, Liza Daly; and two lead engineers from last year’s Clinton campaign, Trisha Quan and Felicity Pereyra.

The party’s security efforts will ultimately extend beyond the DNC itself “to everything and anything that potentially touches us,” according to Krikorian, including state parties. He plans to create a tech help-line for candidates and is also considering “some mass-buys” of technology to provide to candidates and parties outside Washington.

One year after the DNC email hack — a cyberattack that revealed an unfair bias against Bernie Sanders and made the party committee a source of fierce dissatisfaction and distrust among progressives — Krikorian is also hoping for a larger culture change inside headquarters. “You have to remember, it’s also very popular from the outside to sort of shit on the DNC. That’s a common thing to do,” he said. “When I walked in and found demoralized people on the technology team, you talked to them for a while and then you realize that people that still believe in it didn’t choose to jump ship.”

“The mood is changing in the building,” added Krikorian. (The engineer made the leap to Washington, he said, because “I believe in a lot of the ideals of Democrats.”)

Under Krikorian, the new emphasis on security at the DNC, mirrored at other party entities, puts politics at large at the intersection of a long-running and tangled debate over privacy, tech, and security — one that doesn’t adhere to typical partisan lines.

Sen. Dianne Feinstein, a Democrat, emerged as the staunchest opponent of encryption last year when the FBI sought access to encrypted data on the Apple device used by one of the shooters in the San Bernardino terror attack. (Apple refused, setting off a court battle.) Feinstein, who introduced legislation with Republican Sen. Richard Burr that would require tech companies to decrypt data in such cases, suggested this spring that she will restart that effort in Congress. The legislation would be aimed at the same end-to-end encryption technology that is now being adopted inside her own party.

Neither Feinstein’s office, nor Burr’s, provided a comment when asked last month about the recent move by parties and campaigns to rely on encrypted messaging software.

Krikorian’s own position is clear. “My personal belief is that everyone has the right to encrypted communication. I totally understand that not a lot of people are in the same mindset,” he said. “I’m definitely curious how this space plays out over the next few years.”

While Republicans grapple with similar security questions, Krikorian said there has been no “explicit” contact or collaboration between the DNC and the Republican National Committee. He signaled an openness to some kind of partnership, citing practices across company lines in Silicon Valley. Amid security threats at Twitter, he said, “we would always jump on an IRC [Internet Relay Chat] channel with a whole bunch of other tech companies to do coordination there, so this model is tried and proven.”

A spokesman for the RNC did not respond to a question about whether the party would be open to a potential collaboration.

The DNC’s CTO said he has been in contact with Defending Digital Democracy, a new nonpartisan cybersecurity project at Harvard’s Belfer Center for Science and International Affairs, focused on preventing foreign-sponsored hacking. The group, founded in July under two former campaign managers, Clinton’s Robby Mook and Mitt Romney’s Matt Rhoades, could serve as a meeting point for Democrats and Republicans.

According to an internal July memo, Defending Digital Democracy is planning to develop a cybersecurity “playbook” for campaigns and parties at all levels, a training program, a security audit for political vendors, and a system in which a campaign or party could “partner with the private sector and government” to help respond to a security breach. (The Harvard group is also looking to recruit former Homeland Security and National Security Agency officials for a potential “technical advisory board,” as well as representatives from Silicon Valley and Wall Street, the memo says.)

At the DNC, broader tech efforts will also be under Krikorian’s jurisdiction. The central Democratic committee plays no formal role in campaigns outside the presidential election every four years, but DNC officials said the new engineers and data scientists on Krikorian’s team are looking to “reboot” the party’s data infrastructure, starting with an effort to help Democrats’ most crucial campaign this year, the gubernatorial race in Virginia. There are also plans to “upgrade” fundraising tools to free up campaigns’ time elsewhere, and set a higher bar for Democratic vendors when it comes to performance.

With the presidential race already underway — Democrats have one declared candidate, Maryland Rep. John Delaney — the DNC is also sorting out its role in securing fledgling campaigns. (One early phishing email could infiltrate an entire campaign months before it becomes a full operation with established password standards or retention policies.)

Krikorian said the DNC hopes to serve as a cybersecurity resource for all Democrats, including on presidential campaigns, but has not released guidelines yet.

“I would love us to get to the point where if people have technology or security questions, they consider calling the DNC first and we help them out,” he said.